apparmor: Permit new capabilities required by libvirtd

The audit log contains the following denials from libvirtd

apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17  capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39  capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38  capname="perfmon"

Squelch the denials and allow the capabilities in the libvirtd
apparmor profile.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jim Fehlig 2021-06-07 16:21:28 -06:00
parent 55aaa1b037
commit 4f2811eb81
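The commit message derives the three new rules from `operation="capable"` denials in the audit log. Below is an added example, not code from libvirt or AppArmor, of the same workflow done mechanically: parse audit records, keep only capability denials for the profile of interest, emit candidate `capability X,` lines in the profile's own commented style, and flag capabilities that deserve a second look before being granted. The audit lines, the `CAPS_TO_REVIEW` table and the function names are this example's own constructions; the sample records are modelled on the three denials quoted above and are not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not a real capture). The three
# DENIED/capable lines mirror the ones in the commit message; the last
# two exist to show that ALLOWED records and non-"capable" operations
# are filtered out rather than turned into capability rules.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1623104507.123:4520): apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17  capname="sys_rawio"
type=AVC msg=audit(1623104507.456:4521): apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39  capname="bpf"
type=AVC msg=audit(1623104507.789:4522): apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38  capname="perfmon"
type=AVC msg=audit(1623104508.001:4523): apparmor="ALLOWED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=21  capname="sys_admin"
type=AVC msg=audit(1623104508.100:4524): apparmor="DENIED" operation="open" profile="libvirtd" name="/tmp/probe" pid=6012 comm="rpc-worker" requested_mask="r" denied_mask="r"
"""

# Capabilities a reviewer should not wave through on the strength of a
# single denial. Descriptions paraphrase capabilities(7); the selection
# is this example's own judgement, not anything the profile defines.
CAPS_TO_REVIEW = {
    "sys_admin": "catch-all administrative capability",
    "sys_rawio": "raw I/O port access, /dev/mem, /dev/kmem",
    "sys_module": "load and unload kernel modules",
    "sys_ptrace": "ptrace arbitrary processes",
    "dac_override": "bypass file permission checks",
    "bpf": "load and attach BPF programs",
}

# key=value pairs; values are either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit record into a dict of key=value fields.

    Quoted values lose their quotes; bare values are kept verbatim.
    """
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def capable_denials(audit_text):
    """Map profile -> capname -> set of comm values that hit a denial.

    Only apparmor="DENIED" records with operation="capable" count;
    ALLOWED (complain-mode) records and file/network denials are skipped.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        if "profile" not in f or "capname" not in f:
            continue
        seen[f["profile"]][f["capname"]].add(f.get("comm", "?"))
    return seen


def render_rules(seen, profile):
    """Emit candidate 'capability X,' lines for one profile, sorted by
    name, each preceded by a comment naming the comm values that were
    denied (the same style as the '# Needed for vfio' comment already
    in the profile) and a REVIEW marker for high-impact capabilities."""
    out = []
    for cap in sorted(seen.get(profile, {})):
        comms = ", ".join(sorted(seen[profile][cap]))
        comment = f"# Denied for: {comms}"
        note = CAPS_TO_REVIEW.get(cap)
        if note:
            comment += f" (REVIEW: {note})"
        out.append(f"  {comment}")
        out.append(f"  capability {cap},")
    return out


if __name__ == "__main__":
    for rule in render_rules(capable_denials(SAMPLE_AUDIT), "libvirtd"):
        print(rule)
```

Run against the sample, this prints six lines for `libvirtd`: `bpf` and `sys_rawio` carry a REVIEW marker, `perfmon` does not, and neither the ALLOWED `sys_admin` record nor the `open` denial produces a rule. The point of the marker is the one the patch leaves implicit: a denial proves the code path asked for the capability, not that granting it is the right fix, and the profile's own `# Needed for ...` comment is where that justification belongs.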


@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
capability fsetid, capability fsetid,
capability audit_write, capability audit_write,
capability ipc_lock, capability ipc_lock,
capability sys_rawio,
capability bpf,
capability perfmon,
# Needed for vfio # Needed for vfio
capability sys_resource, capability sys_resource,
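Review bot: the three new rules ship without the per-capability rationale the profile already uses for their neighbours (`# Needed for vfio` above `capability sys_resource,`), and the commit message records only that the denials appeared, not which libvirtd code path needs raw I/O, BPF program loading or perf events. Add a comment above `capability sys_rawio,`, `capability bpf,` and `capability perfmon,` naming the triggering feature, so the next person auditing the profile can tell a required grant from one made to silence an audit entry; CAP_SYS_RAWIO and CAP_BPF in particular widen what a compromised libvirtd can do well beyond the original denial. Also confirm that the apparmor_parser in use recognises the names `bpf` and `perfmon` (capabilities 38 and 39 in the quoted log, newer than the rest of the list): an unrecognised capability name fails the whole profile load, not just the one rule.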